Introduction
Simple FastAPI declarative endpoint-level access control, somewhat inspired by Pyramid.
Installation
Why use Missil?
For most applications the use of scopes to determine the rights of a user is sufficient enough. Nonetheless, scopes are tied to the state of the user, while 'missil' also take the state of the requested resource into account.
Let's take an scientific paper as an example: depending on the state of the submission process (like "draft", "submitted", "peer review" or "published") different users should have different permissions on viewing and editing. This could be acomplished with custom code in the path definition functions, but Missil offers a very legible and to-the-point to define these constraints.
Quick usage
import missil
from fastapi import FastAPI
from fastapi import Response
from datetime import datetime
from datetime import timezone
from datetime import timedelta
app = FastAPI()
TOKEN_KEY = "Authorization"
SECRET_KEY = "2ef9451be5d149ceaf5be306b5aa03b41a0331218926e12329c5eeba60ed5cf0"
bearer = missil.FlexibleTokenBearer(TOKEN_KEY, SECRET_KEY)
rules = missil.make_rules(bearer, "finances", "it", "other")
@app.get("/", dependencies=[rules["finances"].READ])
def read_root():
return {"Hello": "World"}
@app.get("/set-cookies")
def set_cookies(response: Response) -> None:
"""Just for example purposes."""
sample_user_privileges = {
"finances": missil.READ,
"it": missil.WRITE,
}
token_expiration = datetime.now(timezone.utc) + timedelta(hours=8)
token = missil.encode_jwt_token(sample_user_privileges, SECRET_KEY, token_expiration)
response.set_cookie(
key=TOKEN_KEY,
value=f"Bearer {token}",
httponly=True,
max_age=1800,
expires=1800,
)
Disclaimer
Scopes did not meet my needs and other permission systems were too complex, so I designed this code for my and my team needs, but feel free to use it if you like.
License
This project is licensed under the terms of the MIT license.